[187771] in North American Network Operators' Group
Re: Thank you, Comcast.
daemon@ATHENA.MIT.EDU (Mark Andrews)
Fri Feb 26 01:27:21 2016
X-Original-To: nanog@nanog.org
To: Mikael Abrahamsson <swmike@swm.pp.se>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Fri, 26 Feb 2016 07:20:28 +0100."
<alpine.DEB.2.02.1602260718460.11524@uplift.swm.pp.se>
Date: Fri, 26 Feb 2016 17:27:07 +1100
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
In message <alpine.DEB.2.02.1602260718460.11524@uplift.swm.pp.se>, Mikael Abrahamsson writes:
> On Thu, 25 Feb 2016, Jared Mauch wrote:
>
> > Make sure you permit TCP/53 for DNS queries so if TC=1 lookups work.
>
> Speaking of which, historically ISPs have been blocking TCP/135, TCP/445
> and a few others towards customers (at least that's what I know). TCP/25
> seems to be blocked as well.
>
> Why isn't UDP/53 blocked towards customers? I know historically there were
> resolvers that used UDP/53 as source port for queries, but is this the
> case nowadays?
>
> I know providers that have blocked UDP/53 towards customers as a
> countermeasure to the amplification attacks. As far as I heard, there were
> no customer complaints.
Because complaining is like talking to a brick wall most of the
time. People work around the ISP idiocy by shifting ports; it's
easier than trying to get through help desk hell.
> --
> Mikael Abrahamsson email: swmike@swm.pp.se
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
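The "permit TCP/53 so TC=1 lookups work" point in the quoted thread is easiest to see in a resolver's fallback path: a UDP answer that does not fit comes back with the TC bit set, and the client is expected to retry the same question over TCP, where the message is prefixed with a two-byte length. The Python below is an added example, not code from this thread or from any of its participants. The DNS message bytes and the 192.0.2.1 answer are constructed for the demonstration, and the transport functions are injected so that the fallback logic can be exercised offline; the socket-based transports at the end are what you would pass in against a real server.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: retry over TCP
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal DNS query (no EDNS) for qname; qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an}


def is_truncated(msg):
    return parse_header(msg)["tc"]


def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with its 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream):
    (n,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + n]


def skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def first_a_record(msg):
    """Return the first A record's address in a response, or None."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(hdr["ancount"]):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            return socket.inet_ntoa(msg[off:off + 4])
        off += rdlen
    return None


def resolve_with_tc_fallback(query, udp_send, tcp_send):
    """Send over UDP; if the reply has TC=1, repeat the query over TCP.

    udp_send(query) -> raw reply; tcp_send(framed_query) -> framed reply.
    If TCP/53 is filtered toward the client, tcp_send raises and the
    lookup fails, which is exactly the breakage the thread warns about.
    """
    reply = udp_send(query)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch in UDP reply")
    if is_truncated(reply):
        reply = unframe_from_tcp(tcp_send(frame_for_tcp(query)))
    return reply


# --- constructed sample messages (not captured traffic) ---------------------
QUERY = build_query("example.com")
# UDP reply: QR+RD+RA+TC, question echoed, no answers.
UDP_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 0) + QUERY[12:]
# TCP reply: same question, one A record (192.0.2.1 is TEST-NET-1, chosen for the example).
FULL_RESPONSE = (struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
                 + QUERY[12:]
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1"))


def fake_udp(query):
    return UDP_RESPONSE


def fake_tcp(framed_query):
    return frame_for_tcp(FULL_RESPONSE)


def fake_tcp_blocked(framed_query):
    raise ConnectionRefusedError("TCP/53 filtered toward customer")


# --- real transports, for use against an actual server (hypothetical use) ---
def udp_transport(server, port=53, timeout=3.0):
    def send(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            return s.recv(4096)
    return send


def tcp_transport(server, port=53, timeout=3.0):
    def send(framed_query):
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(framed_query)
            head = s.recv(2)
            (n,) = struct.unpack("!H", head)
            body = b""
            while len(body) < n:
                chunk = s.recv(n - len(body))
                if not chunk:
                    break
                body += chunk
            return head + body
    return send


if __name__ == "__main__":
    reply = resolve_with_tc_fallback(QUERY, fake_udp, fake_tcp)
    print("answer after TCP fallback:", first_a_record(reply))
```

Run with the fake transports, the UDP path returns TC=1 and the TCP retry yields the A record; swap in `fake_tcp_blocked` and the lookup raises, which is what a customer behind a TCP/53 filter experiences for any answer too large for UDP.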